# The Get-TargetResource cmdlet.functionGet-TargetResource{[OutputType([Hashtable])]param(# Prefix of the WCF SVC File[Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$EndpointName,# Thumbprint of the Certificate in CERT:\LocalMachine\MY\ for Pull Server [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$CertificateThumbPrint,

# Pull Server is created with the most secure practices[Parameter(Mandatory)][ValidateNotNullOrEmpty()][bool]$UseSecurityBestPractices,

# Exceptions of security best practices[ValidateSet("SecureTLSProtocols")][string[]]$DisableSecurityBestPractices)

$webSite=Get-Website-Name$EndpointName

if($webSite){$Ensure='Present'$AcceptSelfSignedCertificates=$false# Get Full Path for Web.config file $webConfigFullPath=Join-Path$website.physicalPath"web.config"

# Get module and configuration path$modulePath=Get-WebConfigAppSetting-WebConfigFullPath$webConfigFullPath-AppSettingName"ModulePath"$ConfigurationPath=Get-WebConfigAppSetting-WebConfigFullPath$webConfigFullPath-AppSettingName"ConfigurationPath"$RegistrationKeyPath=Get-WebConfigAppSetting-WebConfigFullPath$webConfigFullPath-AppSettingName"RegistrationKeyPath"

# This is the 64 bit module$certNativeModule=Get-WebConfigModulesSetting-WebConfigFullPath$webConfigFullPath-ModuleName"IISSelfSignedCertModule"if($certNativeModule){$AcceptSelfSignedCertificates=$true}

# This is the 32 bit module$certNativeModule=Get-WebConfigModulesSetting-WebConfigFullPath$webConfigFullPath-ModuleName"IISSelfSignedCertModule(32bit)"if($certNativeModule){$AcceptSelfSignedCertificates=$true}}else{$Ensure='Absent'}

# Pull Server is created with the most secure practices[Parameter(Mandatory)][ValidateNotNullOrEmpty()][bool]$UseSecurityBestPractices,

# Exceptions of security best practices[ValidateSet("SecureTLSProtocols")][string[]]$DisableSecurityBestPractices)

# Check parameter valuesif($UseSecurityBestPractices-and($CertificateThumbPrint-eq"AllowUnencryptedTraffic")){throw"Error: Cannot use best practice security settings with unencrypted traffic. Please set UseSecurityBestPractices to `$false or use a certificate to encrypt pull server traffic."# No need to proceed any morereturn}

$culture=Get-Culture$language=$culture.TwoLetterISOLanguageName# the two letter iso languagename is not actually implemented in the source path, it's always 'en'if(-not(Test-Path$pathPullServer\$language\Microsoft.Powershell.DesiredStateConfiguration.Service.Resources.dll)){$language='en'}

# ============ Absent block to remove existing site =========if(($Ensure-eq"Absent")){$website=Get-Website-Name$EndpointNameif($website-ne$null){# there is a web site, but there shouldn't be oneWrite-Verbose"Removing web site $EndpointName"PSWSIISEndpoint\Remove-PSWSEndpoint-SiteName$EndpointName}

# we are done here, all stuff below is for 'Present'return}# ===========================================================Write-Verbose"Create the IIS endpoint"PSWSIISEndpoint\New-PSWSEndpoint-site$EndpointName`-path$PhysicalPath`-cfgfile$webConfigFileName`-port$Port`-applicationPoolIdentityTypeLocalSystem`-app$EndpointName`-svc$svcFileName`-mof$pswsMofFileName`-dispatch$pswsDispatchFileName`-asax"$pathPullServer\Global.asax"`-dependentBinaries"$pathPullServer\Microsoft.Powershell.DesiredStateConfiguration.Service.dll"`-language$language`-dependentMUIFiles"$pathPullServer\$language\Microsoft.Powershell.DesiredStateConfiguration.Service.Resources.dll"`-certificateThumbPrint$CertificateThumbPrint`-EnableFirewallException$true-Verbose

Update-LocationTagInApplicationHostConfigForAuthentication-WebSite$EndpointName-Authentication"anonymous"Update-LocationTagInApplicationHostConfigForAuthentication-WebSite$EndpointName-Authentication"basic"Update-LocationTagInApplicationHostConfigForAuthentication-WebSite$EndpointName-Authentication"windows"if($IsBlue){Write-Verbose"Set values into the web.config that define the repository for BLUE OS"PSWSIISEndpoint\Set-AppSettingsInWebconfig-path$PhysicalPath-key"dbprovider"-value$eseproviderPSWSIISEndpoint\Set-AppSettingsInWebconfig-path$PhysicalPath-key"dbconnectionstr"-value$esedatabaseSet-BindingRedirectSettingInWebConfig-path$PhysicalPath}else{if($isDownlevelOfBlue){Write-Verbose"Set values into the web.config that define the repository for non-BLUE Downlevel OS"$repository=Join-Path"$DatabasePath""Devices.mdb"Copy-Item"$pathPullServer\Devices.mdb"$repository-Force

PSWSIISEndpoint\Set-AppSettingsInWebconfig-path$PhysicalPath-key"dbprovider"-value$jet4providerPSWSIISEndpoint\Set-AppSettingsInWebconfig-path$PhysicalPath-key"dbconnectionstr"-value$jet4database}else{Write-Verbose"Set values into the web.config that define the repository later than BLUE OS"Write-Verbose"Only ESENT is supported on Windows Server 2016"

# The Test-TargetResource cmdlet.functionTest-TargetResource{[OutputType([Boolean])]param(# Prefix of the WCF SVC File[Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$EndpointName,

# Port number of the DSC Pull Server IIS Endpoint[Uint32]$Port=8080,

# Physical path for the IIS Endpoint on the machine (usually under inetpub) [string]$PhysicalPath="$env:SystemDrive\inetpub\$EndpointName",

# Thumbprint of the Certificate in CERT:\LocalMachine\MY\ for Pull Server[Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$CertificateThumbPrint="AllowUnencryptedTraffic",

[ValidateSet("Present","Absent")][string]$Ensure="Present",

[ValidateSet("Started","Stopped")][string]$State="Started",

# Location on the disk where the database is stored[ValidateNotNullOrEmpty()][System.String]$DatabasePath="$env:PROGRAMFILES\WindowsPowerShell\DscService",

# Location on the disk where the Modules are stored [string]$ModulePath="$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules",

# Location on the disk where the Configuration is stored [string]$ConfigurationPath="$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration",

# Location on the disk where the RegistrationKeys file is stored [string]$RegistrationKeyPath,

# Are self-signed certs being accepted for client auth.[boolean]$AcceptSelfSignedCertificates,

# Pull Server is created with the most secure practices[Parameter(Mandatory)][ValidateNotNullOrEmpty()][bool]$UseSecurityBestPractices,

# Exceptions of security best practices[ValidateSet("SecureTLSProtocols")][string[]]$DisableSecurityBestPractices)

$desiredConfigurationMatch=$true;

$website=Get-Website-Name$EndpointName$stop=$true

Do{Write-Verbose"Check Ensure"if(($Ensure-eq"Present"-and$website-eq$null)){$DesiredConfigurationMatch=$falseWrite-Verbose"The Website $EndpointName is not present"break}if(($Ensure-eq"Absent"-and$website-ne$null)){$DesiredConfigurationMatch=$falseWrite-Verbose"The Website $EndpointName is present but should not be"break}if(($Ensure-eq"Absent"-and$website-eq$null)){$DesiredConfigurationMatch=$trueWrite-Verbose"The Website $EndpointName is not present as requested"break}# the other case is: Ensure and exist, we continue with more checks

Write-Verbose"Check Port"$actualPort=$website.bindings.Collection[0].bindingInformation.Split(":")[1]if($Port-ne$actualPort){$DesiredConfigurationMatch=$falseWrite-Verbose"Port for the Website $EndpointName does not match the desired state."break}

Write-Verbose"Check State"if($website.state-ne$State-and$State-ne$null){$DesiredConfigurationMatch=$falseWrite-Verbose"The state of Website $EndpointName does not match the desired state."break}

Write-Verbose"Get Full Path for Web.config file"$webConfigFullPath=Join-Path$website.physicalPath"web.config"if($IsComplianceServer-eq$false){Write-Verbose"Check DatabasePath"switch((Get-WebConfigAppSetting-WebConfigFullPath$webConfigFullPath-AppSettingName"dbprovider")){"ESENT"{$expectedConnectionString="$DatabasePath\Devices.edb"}"System.Data.OleDb"{$expectedConnectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=$DatabasePath\Devices.mdb;"}default{$expectedConnectionString=[System.String]::Empty}}if(([System.String]::IsNullOrEmpty($expectedConnectionString))){$DesiredConfigurationMatch=$falseWrite-Verbose"The DB provider does not have a valid value: 'ESENT' or 'System.Data.OleDb'"break}

Write-Verbose"Check UseSecurityBestPractices"if($UseSecurityBestPractices){if(-not(UseSecurityBestPractices\Test-UseSecurityBestPractices-DisableSecurityBestPractices$DisableSecurityBestPractices)){$desiredConfigurationMatch=$false;Write-Verbose"The state of security settings does not match the desired state."break}}$stop=$false}While($stop)

<#
.SYNOPSIS
    Returns the folder that contains the calling script.

.DESCRIPTION
    Reads the MyInvocation automatic variable from the parent scope (-Scope 1),
    i.e. the scope of whoever called this helper, and returns the parent
    directory of that invocation's MyCommand.Path.

.OUTPUTS
    System.String - the parent directory of the caller's script path.
#>
function Get-ScriptFolder
{
    # -Scope 1 is the caller's scope, not this function's own scope.
    $callerInvocation = (Get-Variable -Name MyInvocation -Scope 1).Value
    $callerScriptPath = $callerInvocation.MyCommand.Path

    # Split-Path defaults to -Parent; stated explicitly for readability.
    return Split-Path -Path $callerScriptPath -Parent
}

# Allow this Website to enable/disable specific Auth Schemes by adding <location> tag in applicationhost.configfunctionUpdate-LocationTagInApplicationHostConfigForAuthentication{param(# Name of the WebSite [String]$WebSite,